patterns/waf_patterns/apache/php.conf

# Apache ModSecurity rules for PHP
SecRuleEngine On

SecRule REQUEST_URI "@pm\ \?>" "id:1127,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\[oOcC\]:d\+:"\.\+\?":d\+:\{\.\*\}" "id:1124,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\|pu\)t\|get\(\?:s\?s\|c\)\|scanf\|write\|open\|read\)\|gz\(\?:\(\?:encod\|writ\)e\|compress\|open\|read\)\|s\(\?:ession_start\|candir\)\|read\(\?:\(\?:gz\)\?file\|dir\)\|move_uploaded_file\|\(\?:proc_\|bz\)open\|call_user_func\)\|\$_\(\?:\(\?:pos\|ge\)t\|session\)\)b" "id:1171,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\.\*\.ph\(\?:pd\*\|tml\|ar\|ps\|t\|pt\)\.\*\$" "id:1120,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?:<\?\(\?:\[\^x\]\|x\[\^m\]\|xm\[\^l\]\|xml\[\^s\]\|xml\$\|\$\)\|<\?php\|\[\(\?:/\|x5c\)\?php\]\)" "id:1119,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?i\)php://\(\?:std\(\?:in\|out\|err\)\|\(\?:in\|out\)put\|fd\|memory\|temp\|filter\)" "id:1122,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?i\)<\?\(\?:=\|php\)\?s\+" "id:1172,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\(\?:bzip2\|expect\|glob\|ogg\|\(\?:ph\|r\)ar\|ssh2\(\?:\.\(\?:s\(\?:hell\|\(\?:ft\|c\)p\)\|exec\|tunnel\)\)\?\|z\(\?:ip\|lib\)\)://" "id:1123,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "AUTH_TYPE\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\|ENCODING\|LANGUAGE\)\)\?\|CONNECTION\|\(\?:HOS\|USER_AGEN\)T\|KEEP_ALIVE\|\(\?:REFERE\|X_FORWARDED_FO\)R\)\|ORIG_PATH_INFO\|PATH_\(\?:INFO\|TRANSLATED\)\|QUERY_STRING\|REQUEST_URI" "id:1125,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "\.\*\.\(\?:phpd\*\|phtml\)\.\.\*\$" "id:1126,phase:1,deny,status:403,log,msg:'php attack detected'"
SecRule REQUEST_URI "@pm\ =" "id:1121,phase:1,deny,status:403,log,msg:'php attack detected'"
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:35:03 UTC 2024] 2024-12-21 00:35:03 +00:00			`# Apache ModSecurity rules for PHP`
			`SecRuleEngine On`

Update: [Mon Jan 13 00:29:11 UTC 2025] 2025-01-13 00:29:11 +00:00			`SecRule REQUEST_URI "@pm\ \?>" "id:1127,phase:1,deny,status:403,log,msg:'php attack detected'"`
			`SecRule REQUEST_URI "\[oOcC\]:d\+:"\.\+\?":d\+:\{\.\*\}" "id:1124,phase:1,deny,status:403,log,msg:'php attack detected'"`
			`SecRule REQUEST_URI "\(\?:b\(\?:f\(\?:tp_\(\?:nb_\)\?f\?\(\?:ge\\|pu\)t\\|get\(\?:s\?s\\|c\)\\|scanf\\|write\\|open\\|read\)\\|gz\(\?:\(\?:encod\\|writ\)e\\|compress\\|open\\|read\)\\|s\(\?:ession_start\\|candir\)\\|read\(\?:\(\?:gz\)\?file\\|dir\)\\|move_uploaded_file\\|\(\?:proc_\\|bz\)open\\|call_user_func\)\\|\$_\(\?:\(\?:pos\\|ge\)t\\|session\)\)b" "id:1171,phase:1,deny,status:403,log,msg:'php attack detected'"`
			`SecRule REQUEST_URI "\.\\.ph\(\?:pd\\\|tml\\|ar\\|ps\\|t\\|pt\)\.\*\$" "id:1120,phase:1,deny,status:403,log,msg:'php attack detected'"`
			`SecRule REQUEST_URI "\(\?:<\?\(\?:\[\^x\]\\|x\[\^m\]\\|xm\[\^l\]\\|xml\[\^s\]\\|xml\$\\|\$\)\\|<\?php\\|\[\(\?:/\\|x5c\)\?php\]\)" "id:1119,phase:1,deny,status:403,log,msg:'php attack detected'"`
			`SecRule REQUEST_URI "\(\?i\)php://\(\?:std\(\?:in\\|out\\|err\)\\|\(\?:in\\|out\)put\\|fd\\|memory\\|temp\\|filter\)" "id:1122,phase:1,deny,status:403,log,msg:'php attack detected'"`
			`SecRule REQUEST_URI "\(\?i\)<\?\(\?:=\\|php\)\?s\+" "id:1172,phase:1,deny,status:403,log,msg:'php attack detected'"`
			`SecRule REQUEST_URI "\(\?:bzip2\\|expect\\|glob\\|ogg\\|\(\?:ph\\|r\)ar\\|ssh2\(\?:\.\(\?:s\(\?:hell\\|\(\?:ft\\|c\)p\)\\|exec\\|tunnel\)\)\?\\|z\(\?:ip\\|lib\)\)://" "id:1123,phase:1,deny,status:403,log,msg:'php attack detected'"`
			`SecRule REQUEST_URI "AUTH_TYPE\\|HTTP_\(\?:ACCEPT\(\?:_\(\?:CHARSET\\|ENCODING\\|LANGUAGE\)\)\?\\|CONNECTION\\|\(\?:HOS\\|USER_AGEN\)T\\|KEEP_ALIVE\\|\(\?:REFERE\\|X_FORWARDED_FO\)R\)\\|ORIG_PATH_INFO\\|PATH_\(\?:INFO\\|TRANSLATED\)\\|QUERY_STRING\\|REQUEST_URI" "id:1125,phase:1,deny,status:403,log,msg:'php attack detected'"`
			`SecRule REQUEST_URI "\.\\.\(\?:phpd\\\|phtml\)\.\.\*\$" "id:1126,phase:1,deny,status:403,log,msg:'php attack detected'"`
			`SecRule REQUEST_URI "@pm\ =" "id:1121,phase:1,deny,status:403,log,msg:'php attack detected'"`